Disclosing genetic information to at-risk relatives: new Australian privacy principles, but uniformity still elusive

Margaret F A Otlowski
Med J Aust 2015; 202 (6): 335-337. || doi: 10.5694/mja14.00670
Published online: 23 March 2015


  • There is growing understanding of the need for genetic information to be shared with genetic relatives in some circumstances.
  • Since 2006, s 95AA of the Privacy Act 1988 (Cwlth) has permitted the disclosure of genetic information to genetic relatives without the patient's consent, provided that the health practitioner reasonably believes that disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of the genetic relatives.
  • Enabling guidelines were introduced in 2009. These were limited to the private sector, and excluded doctors working in the public sector at both Commonwealth and state and territory levels.
  • Privacy legislation was amended in March 2014, and new Australian Privacy Principles, which replace the National Privacy Principles and Information Privacy Principles, now cover the collection and use of personal information.
  • The Privacy Act and the Australian Privacy Principles now extend to practitioners employed by the Commonwealth but not to health practitioners working in state and territory public hospitals.
  • In this article, I review these legislative developments and highlight the implications of the lack of uniformity and the consequent need for a collaborative, uniform approach by states and territories.

Recent reforms to the Privacy Act 1988 (Cwlth)1 have led to a single set of Australian Privacy Principles (APPs), replacing the former National Privacy Principles (NPPs) and Information Privacy Principles (IPPs). Although a key objective of the reforms was to ensure greater consistency on privacy regulation in Australia,2 the law surrounding disclosure of genetic information to at-risk genetic relatives varies across Australia.

Brief legislative history

While patient autonomy features strongly in health law, a legislative exception to a patient's right to privacy was introduced in 2006 as an amendment to the Privacy Act.2-4

Former NPP 2.1(ea) authorised the disclosure by health practitioners of genetic information to a genetic relative without the patient's consent if the health practitioner reasonably believed that disclosure was necessary to lessen or prevent a serious threat to the life, health or safety of an individual who is a genetic relative. The amended Privacy Act enabled the National Health and Medical Research Council to publish guidelines (approved by the Privacy Commissioner) on the use and disclosure of genetic information to a patient's genetic relatives under s 95AA of the Privacy Act in 2009.5 The substance of this approach is similar to that adopted in the United Kingdom.6

In 2014, the original guidelines were revised to comply with the Privacy Act reforms, but the substantive aspects remain unchanged.7

Onerous requirements are imposed on health practitioners who disclose genetic information to a genetic relative notwithstanding the patient's refusal to provide consent. Guideline 1 reflects the wording of s 95AA — that use or disclosure of genetic information without consent may proceed only when the authorising medical practitioner has a reasonable belief that this is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative. The guidelines strongly urge the practitioner faced with this dilemma to strive to win patient consent for disclosure. The guidelines do not have the power of law, but practitioners can avoid actionable complaint by following them closely.

Experience in practice

The importance of the disclosure guidelines is best illustrated through an example. In families where there is a strong history of breast cancer, genetic testing is likely to be recommended to establish whether female genetic relatives of a patient affected carry the BRCA1 or BRCA2 mutation. Drawing on scenario 2 in the revised guidelines,7 a woman whose maternal grandmother had died of breast cancer at a young age and had tested positive for a mutation in the BRCA2 gene may be advised to undertake genetic testing for this mutation. In the event that the test proves positive, this information would be relevant for her genetic relatives (females and males, who can also be affected by breast cancer), and these relatives should be advised to make contact with a genetics service. In some instances, the patient may not wish to share this information. For example, as in the guidelines scenario, the patient may be willing to advise her own daughters but not other relevant family members (eg, sisters). In the event that there was a sustained refusal to allow any of the relevant genetic relatives to be contacted, the guidelines could be used to allow the patient's health practitioner to make disclosure to those relatives without the consent of the patient, as the threshold requirement of disclosure being “necessary to lessen or prevent a serious threat to the life, health or safety of his or her genetic relatives” would be satisfied.7

The actual use by Australian health practitioners of the disclosure exception in the legislation and accompanying guidelines is unclear. There appears to be some uncertainty regarding the operation of aspects of the legislation. Bonython8 and Arnold9 have suggested that some misunderstandings could arise. For example, doctors may think that if a patient declines to consent to notify their relatives, disclosure by the doctor may then occur. However, the preconditions for disclosure as set out in the guidelines require that the doctor counsels the patient to ensure that they have made an informed decision. In particular, guideline 3 states that “Reasonable steps must be taken to obtain the consent of the patient or his or her authorised representative to use or disclose genetic information” and gives guidance on appropriate processes when consent is withheld by, for example, respecting the patient's decision by allowing time for review of the decision and considering referral of the patient to a genetics service. It has also been suggested that there is insufficient differentiation between genetic and familial information, with the result that genetic information which cannot pose a risk to genetic relatives may be disclosed.8 This suggestion ignores the preconditions that must be met before disclosure without consent can be made, including guideline 1 noted above, which clearly confines disclosure to heritable information that is actionable.

Further, the guidelines seek to minimise the risks to the privacy of the genetic relative, specifying that disclosure should be limited to such information as necessary to communicate the increased risk. The sample letter, included in the guidelines, suggests that a general indication of genetic risk in the family will be given (where possible avoiding identification of the patient), thereby giving the genetic relative the opportunity to follow up and obtain further information if they wish. The guidelines (at 3.4) and the Privacy Act (s 16A) allow an APP entity to collect personal information (including contact details for genetic relatives) if it is unreasonable or impracticable to obtain the individual's consent to that collection, including circumstances where a person refuses to give consent to disclosure, and where that collection is necessary to give effect to disclosure to a genetic relative under the Privacy Act and guidelines.

The initial amendments allowing disclosure were limited to health practitioners in the private sector; there was no equivalent provision applying to health practitioners working for Commonwealth government agencies. Further, as the Commonwealth does not have the power to regulate state and territory authorities, which include public hospitals, it was always clear that to achieve comprehensive national coverage, parallel state and territory legislation would also be required.2

2014 Privacy Act amendments

More recently, privacy reforms have been introduced under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cwlth), commencing March 2014. This was the first stage of implementation of the 2008 recommendations of the Australian Law Reform Commission.10 The amending legislation has led to the introduction of the APPs, which consolidate and replace the IPPs and NPPs, and cover the use and disclosure of health information under s 16B(4) of the Privacy Act. Revisions to the enabling s 95AA guidelines were also required; the 2009 version was rescinded and replaced with new guidelines in 2014,7 which replace all references to the NPPs with references to the new APPs. The recent privacy amendments have extended the exemption in relation to disclosure to health practitioners working for Commonwealth government agencies. However, there is still no uniformity because the exemption does not cover state and territory authorities, which include public hospitals.

A call for uniformity

A uniform approach to this issue is surely desirable. Data from the Australian Institute of Health and Welfare indicate that, of the employed medical practitioners in Australia in 2012, 29 834 worked in the public sector, 31 555 in the private sector and 16 497 in both.11 Currently, there is potential for health practitioners working across institutions and jurisdictions to be subject to conflicting regulations whereby they are legally able to disclose genetic information to genetic relatives in their capacity as health practitioners in the private sector but not if employed by a state or territory public health entity. Further, families may be spread across a number of states and it would be desirable if health practitioners only had to comply with a single uniform system. To ensure uniformity across Australia, proactivity is required from the states and territories to allow for disclosure to genetic relatives by health practitioners working for public hospitals. There are two options for securing a more consistent, national approach. States and territories could legislate to adopt s 16B(4) and s 95AA of the Privacy Act and the guidelines for their use or, alternatively, make their own provision through state and territory privacy legislation and guidelines.

The only states to currently make provision for disclosure of health information are South Australia (s 93(3)(c) and (e) of the Health Care Act 2008) and Victoria (Health Privacy Principle [HPP] 2.2(h)(i) of the Health Records Act 2001). However, the South Australian provision is cast in general terms and is not specific to genetic information, while the Victorian provision has limited applicability to genetic information as it requires the risk to be both serious and imminent before disclosure is permitted.

New South Wales passed an amending Act to the Health Records and Information Privacy Act 2002 (the Health Legislation Amendment Act 2012), which specifically covers the disclosure of genetic information. This amends the NSW HPPs in the Health Records and Information Privacy Act, making them consistent with the Commonwealth s 95AA guidelines.12 This will allow disclosure of genetic information to genetic relatives when there is a reasonable belief that this is necessary to lessen or prevent a serious threat to life, health or safety of genetic relatives (HPP 11(1)(c1)).


It is now incumbent on other states and territories to follow, by legislatively adopting the Commonwealth legislation and guidelines or enacting their own legislation and guidelines to allow for disclosure in appropriate circumstances. It is nonsensical that the capacity for a health practitioner to disclose genetic information to genetic relatives without the patient's consent depends on whether they work in the private or public sector. Clearly, a more uniform approach should be the goal, consistent with the thrust of the Australian Law Reform Commission recommendations,10 but it requires a cooperative approach to be taken on this important issue.

Provenance: Not commissioned; externally peer reviewed.

  • Margaret F A Otlowski

  • University of Tasmania, Hobart, TAS.

Competing interests:

No relevant disclosures


remove_circle_outline Delete Author
add_circle_outline Add Author

Do you have any competing interests to declare? *

I/we agree to assign copyright to the Medical Journal of Australia and agree to the Conditions of publication *
I/we agree to the Terms of use of the Medical Journal of Australia *
Email me when people comment on this article

Online responses are no longer available. Please refer to our instructions for authors page for more information.